Data theft from computers is a serious risk in many organizations. The common use of data storage devices such as USB flash drives, digital cameras, media players and mobile phones that can be easily interfaced with any PC is a big challenge to most organizations. Users may easily download huge files in a few seconds without leaving any traces. Data theft from computer systems may disclose secret military plans, private medical records, bank account information, insurance data, customer databases or any other type of data that may be sold or used against the organization's interests. Another risk is the data import (or upload) from storage devices that may load hostile code into the organization's computing system. A single event of unauthorized data import into the organization's network may cause complete system failure for a few hours or even a few days. Data Loss Prevention (DLP) has become a common practice, or even mandatory, in many high-security organizations, including financial, health-care, government and defense. Over the past years, several common strategies have been used to secure computer peripheral ports:
1. Security policy regarding mass storage devices.
                Some organizations prohibit users from entering the facility carrying mass storage devices, and some conduct searches at the entrance gate. While this method may be an efficient deterrent, it is enough for one employee to bring in one device to cause severe damage to the whole organization. It is also very difficult to enforce this policy, as there are many devices whose secondary function may be mass storage, for example a watch, a music player or a GPS device. Additionally, due to the miniature size of flash memory storage devices, they are easy to conceal.
2. Physical removal or cover of unused ports.
                Many organizations use brute force to remove unused peripheral ports from the computers they purchase. While this method reduces the risks of open ports, it still allows users to remove an allowed peripheral such as a keyboard or mouse and plug in an unauthorized peripheral such as a portable mass storage device. It is also an expensive task to treat every purchased computer, and it may void the manufacturer's warranty.
3. USB port protection by software.
                This method is in extensive use today and enables complete port disabling or specific port filtering. Organizations may use these software applications to allow only a keyboard and mouse to be attached to their computers. One major drawback of any software protection is that it may be disabled or modified by a sophisticated attacker with relative ease. For example, see product information available from DeviceLock, 3130 Crow Canyon Pl, Suite 215, San Ramon, Calif. 94583, USA.
4. Use of a secure KVM to secure the peripheral ports of coupled computers.
                Several secure KVMs offer full peripheral port protection through emulation and unidirectional flow diodes. Combined with USB port physical or software protection, this method may be used to protect peripheral ports.
Another potential option used today is that the PC is co-located or locked away from user access while only a secure KVM with protected ports is accessible. While this method is relatively secure and efficient, it is only applicable to users having multiple computers on their desktop.
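The "specific port filtering" of strategy 3 and the "enable only keyboard and mouse" rule come down to a decision made over the interface descriptors a device presents during enumeration. The following Python is an added example written for this page, not code from the patent or from DeviceLock; the class, subclass and protocol codes are the standard USB-IF values, while the device names and vendor/product combinations are constructed samples. It shows why the decision has to be made over the whole device: a composite device that carries a mass storage interface next to a keyboard interface is denied, since enabling its keyboard function would also enable its storage function.

```python
from dataclasses import dataclass

# Standard USB-IF class, subclass and protocol codes used by the policy below.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02


@dataclass(frozen=True)
class Interface:
    """One interface descriptor: bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol."""
    interface_class: int
    subclass: int
    protocol: int


@dataclass
class Device:
    """A simplified enumerated device: the set of interfaces it exposes."""
    name: str
    interfaces: tuple


def is_boot_keyboard_or_mouse(iface: Interface) -> bool:
    """Allow list: only HID boot-protocol keyboards and mice qualify."""
    return (
        iface.interface_class == USB_CLASS_HID
        and iface.subclass == HID_SUBCLASS_BOOT
        and iface.protocol in (HID_PROTOCOL_KEYBOARD, HID_PROTOCOL_MOUSE)
    )


def evaluate(device: Device) -> tuple:
    """Return ("allow" | "deny", reason), deciding over the whole device.

    A composite device that adds a mass storage interface next to a keyboard
    interface is denied, because enabling it would also enable the storage.
    """
    if not device.interfaces:
        return "deny", "device exposes no interfaces"
    for iface in device.interfaces:
        if iface.interface_class == USB_CLASS_MASS_STORAGE:
            return "deny", "mass storage interface present"
    for iface in device.interfaces:
        if not is_boot_keyboard_or_mouse(iface):
            return "deny", (
                f"interface class=0x{iface.interface_class:02x} "
                f"subclass=0x{iface.subclass:02x} protocol=0x{iface.protocol:02x} "
                "is not a boot keyboard or mouse"
            )
    return "allow", "every interface is a HID boot keyboard or mouse"


# Constructed sample devices (not real products). Subclass 0x06 / protocol 0x50
# on the storage interfaces are the standard SCSI-transparent / bulk-only codes.
SAMPLE_DEVICES = (
    Device("plain keyboard", (Interface(0x03, 0x01, 0x01),)),
    Device("plain mouse", (Interface(0x03, 0x01, 0x02),)),
    Device("flash drive", (Interface(0x08, 0x06, 0x50),)),
    Device("keyboard with built-in storage",
           (Interface(0x03, 0x01, 0x01), Interface(0x08, 0x06, 0x50))),
    Device("vendor-specific HID", (Interface(0x03, 0x00, 0x00),)),
)


def audit(devices=SAMPLE_DEVICES) -> dict:
    """Apply the policy to each device and return {name: verdict}."""
    verdicts = {}
    for dev in devices:
        verdict, reason = evaluate(dev)
        verdicts[dev.name] = verdict
        print(f"{verdict:5s} {dev.name}: {reason}")
    return verdicts


if __name__ == "__main__":
    audit()
```

The example deliberately denies the vendor-specific HID device as well: a permissive rule such as "any HID class device" would admit far more than keyboards and mice. Note that this logic runs on the host, which is exactly the weakness the text describes: whatever enforces it can be altered or switched off by software running on the same machine, whereas the hardware approach this page argues for makes the decision where the host cannot reach it.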
Prior-art solutions for peripheral port security mostly rely on application software. Software products like DeviceLock, available from 3130 Crow Canyon Pl, Suite 215, San Ramon, Calif. 94583, USA, add an MMC snap-in to the group policy to enable full control of the computer peripheral ports. The main drawback of this solution is that, just like any other software, a professional attacker may alter or completely disable it to allow full access to the peripheral ports. The software components responsible for tracking and reporting software integrity can be modified as well, to prevent detection and reporting of such an attack.
U.S. Pat. No. 7,320,071 discloses a method and apparatus to provide a secure universal serial bus domain in a security partitioned computer. Such a method may be used to create a computer motherboard having two or more USB port trees with different security levels, but it does not provide protection from unauthorized data import and export. The disclosed method and apparatus also do not provide a way to filter standard peripherals such as a keyboard and mouse.
U.S. Pat. No. 7,635,272 discloses a mechanical USB port locking and blocking device that may be used to prevent USB cable disconnection from the computer or to prevent unauthorized use of blocked USB ports. This mechanical method may be an efficient method for peripheral device anti-theft, but it fails to protect used ports (such as keyboard and mouse) from cable cut attacks or other sophisticated electronic attacks. It also fails to protect other types of computer ports commonly available in standard computers from data theft.
U.S. Pat. No. 7,478,235 discloses methods and systems for protecting data in USB systems. The disclosed method is directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. The disclosed method does not provide protection from the use of unauthorized peripheral devices and does not provide a method to restrict data import and export risks in such a system. The disclosed method further relies on an application together with hardware functions. This dependence on software tends to reduce the system security as opposed to pure hardware security solutions. It also depends on the operating system and does not provide pre-boot protection.
U.S. Pat. No. 7,677,065 discloses a mechanical combination lock for a USB connector that may be used to lock the USB connectors of peripheral devices. Although a lock like that may prevent users from inserting a USB storage device into their computer, it is impractical to secure all portable storage devices that exist in large organizations. It is much more practical and secure to lock the receptacle side: all USB ports accessible to the users.
United States Patent Application 20090013111 discloses a unidirectional USB port primarily intended to connect an election machine. While the disclosed method may be used to secure computer USB ports against data export, it lacks emulation capabilities and therefore cannot be used between standard peripherals and computers.
U.S. Pat. No. 6,820,160 discloses an apparatus for optically isolating a USB peripheral from a USB host. The apparatus disclosed in this patent uses bidirectional optical isolators to provide electrical and ground isolation between the computer host and peripherals. While this apparatus may be used to protect computer peripheral ports from power spikes and induced noise, its design is inherently insecure, as it does not provide any host or device emulation and it is bidirectional, so data may flow to external peripherals as well. The apparatus disclosed in U.S. Pat. No. 6,820,160 may be used in industrial automation applications to reduce electrical noise and protect from power surges, but it cannot be used to protect a computer from peripheral data leakage risks.
United States Patent Application 20090033668 discloses a display EDID emulator system and method. While this patent application discloses a system that emulates EDID, it does not disclose any circuitry that prevents writes to the emulated EDID device, or any write protection. Without write protection circuitry, data leakage prevention cannot be assured, and therefore the disclosed system and method cannot be used for secure applications. The application also does not disclose emulation or protection of other types of ports.
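To make the EDID write-protection point concrete, the following Python models the difference between an emulator that merely answers EDID reads and one whose write path does not exist. It is an added example written for this page, not code from the cited application or from this patent. It builds a constructed, minimal 128-byte EDID 1.4 base block (real layout: the fixed 8-byte header, the 5-bit-per-letter manufacturer ID in bytes 8 and 9, the version bytes 18 and 19, and a checksum in byte 127 that makes all 128 bytes sum to zero modulo 256), serves it at the standard DDC address 0x50, and refuses every write while counting the attempts. The `ReadOnlyEdidEmulator` class and `demo()` function are names chosen for this example.

```python
from typing import Optional

EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])
EDID_BLOCK_SIZE = 128
DDC_EDID_ADDRESS = 0x50  # 7-bit I2C address of the EDID EEPROM on the DDC bus


def encode_manufacturer(pnp_id: str) -> bytes:
    """Pack a three-letter PnP ID into EDID bytes 8-9 (5 bits per letter, A=1)."""
    if len(pnp_id) != 3 or not all("A" <= c <= "Z" for c in pnp_id):
        raise ValueError("PnP ID must be three uppercase ASCII letters")
    value = 0
    for ch in pnp_id:
        value = (value << 5) | (ord(ch) - ord("A") + 1)
    return value.to_bytes(2, "big")


def decode_manufacturer(raw: bytes) -> str:
    """Inverse of encode_manufacturer, for checking what the host read back."""
    value = int.from_bytes(raw[:2], "big")
    return "".join(chr(((value >> shift) & 0x1F) + ord("A") - 1) for shift in (10, 5, 0))


def build_edid(pnp_id: str = "ABC", product_code: int = 0x0001) -> bytes:
    """Build a minimal, constructed EDID 1.4 base block with a valid checksum."""
    block = bytearray(EDID_BLOCK_SIZE)
    block[0:8] = EDID_HEADER
    block[8:10] = encode_manufacturer(pnp_id)
    block[10:12] = product_code.to_bytes(2, "little")
    block[18], block[19] = 1, 4                # EDID version 1, revision 4
    block[127] = (-sum(block[:127])) & 0xFF    # all 128 bytes must sum to 0 mod 256
    return bytes(block)


def verify_edid(block: bytes) -> bool:
    """Structural check only: size, fixed header and checksum."""
    return (len(block) == EDID_BLOCK_SIZE
            and block[:8] == EDID_HEADER
            and sum(block) % 256 == 0)


class ReadOnlyEdidEmulator:
    """Answers DDC reads from a fixed image; there is no code path that mutates it."""

    def __init__(self, block: bytes):
        if not verify_edid(block):
            raise ValueError("refusing to serve an invalid EDID image")
        self._image = bytes(block)     # immutable copy
        self.rejected_writes = 0

    def ddc_read(self, address: int, offset: int, length: int) -> Optional[bytes]:
        if address != DDC_EDID_ADDRESS:
            return None                # not our address: no acknowledge
        return self._image[offset:offset + length]

    def ddc_write(self, address: int, offset: int, payload: bytes) -> bool:
        """Every write is refused and counted, whatever the offset or content."""
        if address == DDC_EDID_ADDRESS:
            self.rejected_writes += 1
        return False


def demo() -> dict:
    """Host reads the EDID, attempts a write, and reads again."""
    original = build_edid("ABC", 0x1234)
    emu = ReadOnlyEdidEmulator(original)
    first = emu.ddc_read(DDC_EDID_ADDRESS, 0, 16)
    write_ok = emu.ddc_write(DDC_EDID_ADDRESS, 0, b"\x00" * 8)
    after = emu.ddc_read(DDC_EDID_ADDRESS, 0, EDID_BLOCK_SIZE)
    return {
        "manufacturer": decode_manufacturer(first[8:10]),
        "write_accepted": write_ok,
        "rejected_writes": emu.rejected_writes,
        "image_intact": verify_edid(after) and after == original,
    }


if __name__ == "__main__":
    print(demo())
```

The EDID checksum is an integrity aid for the host, not a security control: any writer that can reach the EEPROM can recompute it. What the text asks for is that the write path be absent in hardware, which the emulator models by holding an immutable image and exposing no operation that changes it; the rejected-write counter is the kind of signal a monitoring function could surface.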
United States Patent Application 20090212844 discloses analog circuitry that serves as Information Handling System Port Security. The disclosed system uses certain analog electronic components to sense the presence of a removable peripheral device and to control the power source to that device accordingly. Such a system cannot be used to detect the type of attached device or to prevent data import to or export from the device. The disclosed method and apparatus may not detect externally powered mass storage peripheral devices, and they do not have proper security means to prevent booting from or data transfer to such a device.
What is needed is a computer that comprises built-in, hardware-based peripheral protection circuitry to secure each one of the user-accessible peripheral ports: a security function that prevents data export by hardware means, independent of the computer BIOS, operating system or applications.